CrowdSec4mo ago
ook

ban disappeared before expiration

Yesterday, I manually added a decision about the IP 190.108.82.105 for 960h. I checked it was correctly displayed in CrowdSec decisions. Some minutes ago I got hit by my CEO because the hacker used that IP again today. I checked the Traefik bouncer was effective by banning myself for 15 min with success. Why did the 960h ban disappear in less than 24h? Thank you.
13 Replies
CrowdSec
CrowdSec4mo ago
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please run the command /resolve or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
Loz
Loz4mo ago
So if you check cscli decisions list --ip 190.108.82.105, do you still see it? Please note that using Traefik does stop the request from going downstream to your application. However, it doesn't completely block the connection, so scenarios can trigger again / get logged by Traefik. So if you see a trigger it doesn't mean it wasn't blocked, but they hit your infrastructure.
ook
ookOP4mo ago
I see it in the decisions tab on the website; I don't see it in cscli on LAPI. And he definitely reached our application since he exploited some leaked passwords (dude, seriously, never reuse the same password on different services…). Oh, I see on the site the status is « applying »; seems the site can't reach my LAPI. How is that possible?
Loz
Loz4mo ago
what version is your crowdsec?
ook
ookOP4mo ago
crowdsec-lapi-7678bd9784-4qtcd:/# cscli version
version: v1.6.8-f209766e
Codename: alphaga
BuildDate: 2025-03-25_15:56:53
GoVersion: 1.24.1
Platform: docker
libre2: C++
User-Agent: crowdsec/v1.6.8-f209766e-docker
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
Built-in optional components: cscli_setup, datasource_appsec, datasource_cloudwatch, datasource_docker, datasource_file, datasource_http, datasource_journalctl, datasource_k8s-audit, datasource_kafka, datasource_kinesis, datasource_loki, datasource_s3, datasource_syslog, datasource_victorialogs, datasource_wineventlog
Hum… well. There's no ingress so CS can « push » to my LAPI pod. Is LAPI periodically pulling manual decisions made on the website UI?
Loz
Loz4mo ago
On your version, not unless you specified the console management flag. On version 1.6.11, the latest, this flag is no more and the engine automatically enables this if you're on an enterprise account. So best if you upgrade when you can to the latest version if possible.
ook
ookOP4mo ago
Will do soon. Thank you. So I upgraded to the latest CrowdSec Helm chart, and now I'm running:
version: v1.6.10-79870769
Codename: alphaga
BuildDate: 2025-07-10_13:49:04
GoVersion: 1.24.5
Platform: docker
I see the old decision put through the website via the source console. I'll watch if the decision disappears before expiration, before marking this as solved.

Sadly, the issue is still open. I kept the LAPI console opened overnight to check. I gathered under reason « Thief » a collection of bad IPs captured by our business team. So yesterday around 7pm I got:
crowdsec-lapi-847d79d98f-v2grv:/# cscli decisions list -s Thief
╭──────────┬─────────┬───────────────────────────────────────────┬────────┬────────┬─────────┬────┬────────┬────────────┬──────────╮
│ ID       │ Source  │ Scope:Value                               │ Reason │ Action │ Country │ AS │ Events │ expiration │ Alert ID │
├──────────┼─────────┼───────────────────────────────────────────┼────────┼────────┼─────────┼────┼────────┼────────────┼──────────┤
│ 83169374 │ cscli   │ Ip:67.21.32.150                           │ Thief  │ ban    │         │    │ 1      │ 959h45m26s │ 633280   │
│ 83169373 │ cscli   │ Ip:192.158.226.22                         │ Thief  │ ban    │         │    │ 1      │ 959h45m12s │ 633279   │
│ 82983365 │ cscli   │ Ip:67.21.32.149                           │ Thief  │ ban    │         │    │ 1      │ 959h23m4s  │ 633155   │
│ 82611451 │ console │ Ip:2806:262:483:8df:b01e:2c35:846d:48e6   │ Thief  │ ban    │         │    │ 0      │ 790h28m39s │ 631142   │
│ 82427033 │ cscli   │ Ip:2806:370:735b:6512:bc47:6dc8:3ccb:cb38 │ Thief  │ ban    │         │    │ 1      │ 932h41m3s  │ 630830   │
│ 82427031 │ cscli   │ Ip:2803:9810:b0dc:110:90d:b6ad:7369:4a5c  │ Thief  │ ban    │         │    │ 1      │ 932h40m48s │ 630828   │
│ 82427028 │ cscli   │ Ip:45.191.80.187                          │ Thief  │ ban    │         │    │ 1      │ 932h40m40s │ 630825   │
│ 82427026 │ cscli   │ Ip:190.108.82.105                         │ Thief  │ ban    │         │    │ 1      │ 932h40m34s │ 630823   │
╰──────────┴─────────┴───────────────────────────────────────────┴────────┴────────┴─────────┴────┴────────┴────────────┴──────────╯
2 duplicated entries skipped
Then some minutes ago, same command:
crowdsec-lapi-847d79d98f-v2grv:/# cscli decisions list -s Thief
╭──────────┬────────┬───────────────────────────────────────────┬────────┬────────┬─────────┬────┬────────┬────────────┬──────────╮
│ ID       │ Source │ Scope:Value                               │ Reason │ Action │ Country │ AS │ Events │ expiration │ Alert ID │
├──────────┼────────┼───────────────────────────────────────────┼────────┼────────┼─────────┼────┼────────┼────────────┼──────────┤
│ 83169823 │ cscli  │ Ip:2803:9810:b0dc:110:5989:db78:af47:325e │ Thief  │ ban    │         │    │ 1      │ 946h11m50s │ 633729   │
│ 83169374 │ cscli  │ Ip:67.21.32.150                           │ Thief  │ ban    │         │    │ 1      │ 944h45m45s │ 633280   │
│ 83169373 │ cscli  │ Ip:192.158.226.22                         │ Thief  │ ban    │         │    │ 1      │ 944h45m31s │ 633279   │
│ 82983365 │ cscli  │ Ip:67.21.32.149                           │ Thief  │ ban    │         │    │ 1      │ 944h23m23s │ 633155   │
╰──────────┴────────┴───────────────────────────────────────────┴────────┴────────┴─────────┴────┴────────┴────────────┴──────────╯
crowdsec-lapi-847d79d98f-v2grv:/#
We can see the expiration wasn't near being reached for those that disappeared, even for the one inserted through the web console. How is it possible? Thank you.
_KaszpiR_
_KaszpiR_4mo ago
Next time, check if the IP is already on the blocklists. Hm, also looks like you had two duplicate entries skipped.
blotus
blotus4mo ago
Can you do a SELECT * from decisions where value='45.191.80.187'? The IP is part of the curated VPN/proxies list, maybe you are subscribed to it? (Pulling a blocklist with an IP you already have a decision for locally should not behave like this, but maybe there's a bug.) And do you see anything in CrowdSec logs around the time the decision disappeared? (If you have a rough idea of when it disappeared.) You should have a message if it was flushed automatically for some reason (or deleted from the console or anything).
ook
ookOP4mo ago
There’s an entry:
crowdsec=# SELECT * from decisions where value='45.191.80.187';
-[ RECORD 1 ]---+------------------------------
id              | 86413319
created_at      | 2025-08-27 13:24:18.236144+00
updated_at      | 2025-08-27 13:24:18.236145+00
until           | 2025-08-28 13:24:09+00
scenario        | crowdsec_proxy
type            | captcha
start_ip        | -9223372036087263044
end_ip          | -9223372036087263044
start_suffix    | -9223372036854775807
end_suffix      | -9223372036854775807
ip_size         | 4
scope           | Ip
value           | 45.191.80.187
origin          | lists
simulated       | f
uuid            |
alert_decisions | 662181
Indeed, I subscribed to the Curated Proxy/VPN list. Trying to get the logs about the flush… I see tons of messages that look like time="2025-08-26T20:54:04Z" level=info msg="flushed 14/5015 alerts because the max number of alerts has been reached (5000 max)". Maybe that limit of 5k is the problem?
blotus
blotus4mo ago
The flush will keep alerts that still have decisions, so the issue is most likely with the fact the IP also belongs to a blocklist.
ook
ookOP4mo ago
Could you eventually point to where in the source code decisions can be flushed when importing a blocklist? Maybe I could help to patch that.
blotus
blotus4mo ago
The flush is not performed when pulling a blocklist, it's done automatically every minute. The code is here: https://github.com/crowdsecurity/crowdsec/blob/191f6537ef8fc31c44613770e449637d213d2957/pkg/database/flush.go#L228 The blocklist pull is done here: https://github.com/crowdsecurity/crowdsec/blob/191f6537ef8fc31c44613770e449637d213d2957/pkg/apiserver/apic.go#L599 More precisely by UpdateBlocklists (https://github.com/crowdsecurity/crowdsec/blob/191f6537ef8fc31c44613770e449637d213d2957/pkg/apiserver/apic.go#L1043) I'll try to do some testing to see what happens exactly, because quickly looking at the code, I don't see what could delete the decision when doing an update
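The checks blotus asks for above (does the IP carry a second decision from a blocklist, and could the per-minute flush have touched its alert?) can be run as plain SQL against the LAPI database. What follows is an added example for this thread, not code from CrowdSec or from any poster: it rebuilds a reduced copy of the decisions and alerts tables in an in-memory SQLite database (the column names are the ones visible in the psql record above; the real schema has more columns, and this deployment uses PostgreSQL, not SQLite), loads rows constructed to resemble the thread's output, and runs three queries: every active decision for an IP with its origin and parent alert, the alerts that hold no active decision and are therefore the only ones the size-based flush can drop, and the IPs that carry decisions from more than one origin at once.

```python
"""Reduced LAPI decisions/alerts tables in SQLite, with the checks from the thread.

Added example, not CrowdSec code. Assumptions: only the `decisions` columns shown
in the psql record are modelled, `alerts` is cut down to (id, created_at, scenario),
and every row below is constructed to resemble the thread's cscli/psql output.
"""
import sqlite3
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"
NOW = datetime(2025, 8, 27, 14, 0, 0)  # constructed reference time (UTC)


def ts(dt):
    return dt.strftime(FMT)


SCHEMA = """
CREATE TABLE alerts (id INTEGER PRIMARY KEY, created_at TEXT NOT NULL, scenario TEXT NOT NULL);
CREATE TABLE decisions (
    id INTEGER PRIMARY KEY, created_at TEXT NOT NULL, until TEXT NOT NULL,
    scenario TEXT NOT NULL, type TEXT NOT NULL, scope TEXT NOT NULL, value TEXT NOT NULL,
    origin TEXT NOT NULL, simulated INTEGER NOT NULL DEFAULT 0,
    alert_decisions INTEGER NOT NULL REFERENCES alerts(id));
"""

# Constructed alerts (id, created_at, scenario).
ALERTS = [
    (630823, ts(datetime(2025, 7, 28, 19, 19, 26)), "Thief"),               # manual cscli ban
    (630825, ts(datetime(2025, 7, 28, 19, 19, 26)), "Thief"),               # manual cscli ban
    (633280, ts(datetime(2025, 8, 26, 18, 14, 34)), "Thief"),               # manual cscli ban
    (662181, ts(datetime(2025, 8, 27, 13, 24, 18)), "blocklist pull"),      # `lists` origin
    (600001, ts(datetime(2025, 8, 1, 2, 0, 0)), "crowdsecurity/ssh-bf"),    # old, expired
]

# Constructed decisions (id, created_at, until, scenario, type, scope, value,
# origin, simulated, alert_decisions). A 960h ban expires 40 days after creation.
DECISIONS = [
    (82427026, ts(datetime(2025, 7, 28, 19, 19, 26)), ts(datetime(2025, 9, 6, 19, 19, 26)),
     "Thief", "ban", "Ip", "190.108.82.105", "cscli", 0, 630823),
    (82427028, ts(datetime(2025, 7, 28, 19, 19, 26)), ts(datetime(2025, 9, 6, 19, 19, 26)),
     "Thief", "ban", "Ip", "45.191.80.187", "cscli", 0, 630825),
    (86413319, ts(datetime(2025, 8, 27, 13, 24, 18)), ts(datetime(2025, 8, 28, 13, 24, 9)),
     "crowdsec_proxy", "captcha", "Ip", "45.191.80.187", "lists", 0, 662181),
    (83169374, ts(datetime(2025, 8, 26, 18, 14, 34)), ts(datetime(2025, 10, 5, 18, 14, 34)),
     "Thief", "ban", "Ip", "67.21.32.150", "cscli", 0, 633280),
    (70000001, ts(datetime(2025, 8, 1, 2, 0, 0)), ts(datetime(2025, 8, 1, 6, 0, 0)),
     "crowdsecurity/ssh-bf", "ban", "Ip", "203.0.113.7", "crowdsec", 0, 600001),
]


def load_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO alerts VALUES (?, ?, ?)", ALERTS)
    con.executemany("INSERT INTO decisions VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)", DECISIONS)
    return con


def active_decisions(con, ip, now=NOW):
    """All unexpired decisions for one IP, every origin, latest expiry first.
    Returns (origin, type, scenario, hours_left, alert_id) tuples: the
    `cscli decisions list --ip` view with the parent alert id added."""
    rows = con.execute(
        "SELECT origin, type, scenario, until, alert_decisions FROM decisions "
        "WHERE scope = 'Ip' AND value = ? AND until > ? ORDER BY until DESC",
        (ip, ts(now)),
    ).fetchall()
    return [(o, t, s, round((datetime.strptime(u, FMT) - now).total_seconds() / 3600, 1), a)
            for o, t, s, u, a in rows]


def flushable_alerts(con, now=NOW):
    """Alerts that no longer hold an unexpired decision. The size-based flush in
    the thread's log ("flushed 14/5015 alerts ... 5000 max") keeps alerts that
    still have decisions, so only these ids are candidates for deletion."""
    rows = con.execute(
        "SELECT a.id FROM alerts a WHERE NOT EXISTS ("
        "  SELECT 1 FROM decisions d WHERE d.alert_decisions = a.id AND d.until > ?)"
        " ORDER BY a.id",
        (ts(now),),
    ).fetchall()
    return [r[0] for r in rows]


def multi_origin_ips(con, now=NOW):
    """IPs carrying active decisions from more than one origin, e.g. a manual
    cscli ban next to a `lists` captcha from a subscribed blocklist. These are
    the values to watch when a manual decision goes missing."""
    by_ip = {}
    for value, origin in con.execute(
            "SELECT value, origin FROM decisions WHERE scope = 'Ip' AND until > ?", (ts(now),)):
        by_ip.setdefault(value, set()).add(origin)
    return {ip: sorted(o) for ip, o in by_ip.items() if len(o) > 1}


if __name__ == "__main__":
    con = load_db()
    for ip in ("190.108.82.105", "45.191.80.187"):
        print(ip, active_decisions(con, ip))
    print("alerts without an active decision:", flushable_alerts(con))
    print("IPs with decisions from several origins:", multi_origin_ips(con))
```

Against a live LAPI the same three SELECTs run unchanged in psql with until > now() in place of the bound parameter. If an IP that should have a cscli ban shows only a lists or CAPI row, record its alert_decisions id as well: the flush log above counts alerts, not decisions, so the alert id is what lets you correlate a vanished decision with a flush run.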
